We are excited to announce that we have launched our new Hive Community! HiveNation will remain as an archive, but all new posts, discussions, and articles will be created on Hive Community. You can visit our new community at thehivecommunity.aerohive.com

Keeping my SSID's secure without an AD

We are a 1:1 school district with Apple. We have 1600 devices across 3 campuses. We also heavily utilize Google Apps for Education, faculty and students alike. We have ZERO need for an active directory. We manage all the users in the Google Apps domain, and we manage the macbooks and iPads with Profile Manager, Meraki, and ARD.

Our issue: Keychain Access on Macbooks allow students to see the SSID password. They are administrators of their machines, but install profiles limit many of their abilities. Keeping an SSID password secure is next to impossible.

How can we secure our SSID's? We have 3. Staff, Student, and Guest. Each are on different VLANS.

I was thinking about MAC address filtering, but putting that many addresses on the AP doesn't seem ideal, it's also the LEAST secure way of doing anything. I really do not want to have to create and manage an Active/Open directory.

I apologize for my ignorance, but I really don't see how else to do it.

Other appliances for consideration are a barracuda 610 web filter, and x300 firewall. The firewall is my current DHCP. There does NOT appear to be a way on it to blacklist/whitelist MAC's to VLANS. Obviously, I just want students to be able to access the Student SSID. Each SSID is filtered differently in the barracuda web filter via ip groups.

If you used AD for 802.1x with vlan assignment, you could also sync AD with google through GADS and GAPS. You can do wild-card allow/deny in NPS with mac authentication and powershell to bulk import mac addresses. Or do Freeradius.